A quick update on additional wallets found through searches on PRNG offsets, and a lead on older weak wallets likely connected to lubian.com.
Trust Wallet Ranges
Background
Long-term readers may remember the summary in research update #2, where I first looked at the different weak wallet sub-ranges that are defined by the Mersenne Twister Pseudo Random Number Generator (PRNG) and the “Trust Wallet” style of deriving private keys from it.
The results fell in roughly two distinct groups: a large group of wallets based on 128 bits of secret key, and a much smaller group of wallets with a 256 bit secret key. In the 128 bit group, the Trust Wallet CVE-2023-31290 vulnerability accounted for a large percentage of wallets created after late 2022, but there was also a significant portion of older wallets that must have come from an earlier vulnerability in another (yet unknown) wallet software.
The 256 bit group was special, since several wallets had massive Bitcoin transactions and are tied to the lubian.com organization and the associated craziness, as outlined in research update #7 and later updates.
In 2025, I looked into wallets with keys generated from predictable PRNG offset positions and discovered more lubian.com related hits. For keys derived with identical PRNG seed values, this also ties the corresponding wallets into small clusters, suggesting a common origin between them.
New Data
I recently revisited research results from the PRNG offset search into the 128 bit range, which had revealed over 1700 additional Bitcoin addresses from previously hidden wallets. The new address list has been in the milksad data repository since November 2025, but I didn’t write about it yet.
Some quick stats of the wallets with 128 bit PRNG offset keys discovered there so far:
- First usage observed 2018-06-19 (via 183f26d0..0fc21338)
- About 5359 BTC of total transaction volume (roughly $20.5M USD at the time of transaction)
- Most remaining funds have been drained by attackers
- Involved in the 2023-07-12 theft event with ~0.36 BTC (via a22b33a9..8f8f774b)
Similar to the PHPCoinAddress vulnerability where PRNG offsets have to be searched, it is impossible to do an exhaustive search of all combinations, so the listed figures are a lower bound. The deepest PRNG offset usage discovered here so far is 512 rounds, but there may be more.
lubian.com Related Research
Analyzing the Bitcoin transaction history of the previously described group of weak 128 bit wallets, there are some unusually large transactions in late 2018 and early 2019, starting with transactions 61ce37d1..7e5a5948 and 33b4699c..79f0c47a that brought in over $9.5M USD.
Within the discussed 128 bit range, there are multiple clusters of different wallet keys created from the same PRNG seed at different offsets.
Some of these clusters use only P2PKH Bitcoin addresses or mix P2PKH and P2WPKH. However, there are at least two clusters which have a strong similarity with clusters confirmed for the lubian.com wallets:
- Only P2SH-P2WPKH Bitcoin address type usage
- Mostly m/49'/0'/0'/0/0 path usage
- Large transactions on at least one wallet of the cluster
There are at least two clusters which match this pattern:
| PRNG index group | PRNG offset | Primary Wallet Address | Comments |
|---|---|---|---|
| A | 16 | 3CuiXreUwP8G2YE4YYQY238d4wtAnFVnEZ | |
| A | 32 | 37SzXiWMJQ7j73Rs9F6yJ5jCDPt6gVszPM | |
| A | 48 | 36grqBJViu457tztHbYy8fshczyX2HhWVx | |
| A | 64 | 323CUfz5BzeZLJf586oz3vUJYMoRNufWcR | |
| B | 0 | 38QMQsck2mR5BatuBJvfvMyWG6QB5KM4Zs | |
| B | 0 | 3Qc5uQWv12yZQz4pDPvTS814F9N8CJkfBX | m/49'/0'/0'/1/0 path |
| B | 16 | 3438JdLG4wPUnwfiVG1HgtKkNF1JV9jm2E | |
| B | 32 | 3PLWy5v6Tv9xTwvXeDK8eX5TRfcvGmtzPj | |
| B | 48 | 35FFaVLmmoVEJqUKRvUwibYTfv2oKhJxW8 | |
| B | 64 | 3Ccz69UkgebcDuvL3bmW9wMUAybwvQbK1T | |
| B | 80 | 3Dh5dEVyB9pTjZf5Po6iJTzTQ88L2om5sn | |
| B | 96 | 3DxAm9XytF7sXFg8V8Y85nCGEpS3GN61fE | |
Technical notes
- PRNG offset in rounds
- Each key generation requires 16 rounds to produce 128 weak key bits
- Wallets with the same PRNG index ID were likely generated in the same session
- BIP39 mnemonic wallet
- Derivation path m/49'/0'/0'/0/0 unless noted otherwise
- PRNG index groups are numerically different from previously reported results in the 256 bit range
The listed two groups of twelve wallet addresses have a combined Bitcoin transaction volume of over 5196 BTC, covering most of the volume we listed earlier.
I think it’s likely that the wallets in this new list were also controlled by the actor behind lubian.com:
- About 24 BTC (roughly $0.95M USD) remained on these wallets through 2020-12-28, but unlike other lubian.com funds from the 256 bit range, no money was moved or stolen that day
- Perhaps the thief did not know about them, or had a reason to skip them?
- The remaining funds were located on addresses of both PRNG index group A and B
- group A: via address 37SzXiWMJQ7j73Rs9F6yJ5jCDPt6gVszPM
- group B: via addresses 3PLWy5v6Tv9xTwvXeDK8eX5TRfcvGmtzPj and 3Ccz69UkgebcDuvL3bmW9wMUAybwvQbK1T
- Crucially, over 23.5 BTC of the remaining funds moved to 3JQDrsy65fy218VUsSMQiWP6UHEjDFUpat about two weeks after the 2020-12-28 theft
- This destination address directly ties the funds to the lubian.com actor, since it has also received substantial amounts of Bitcoin from the 3Pja5FPK1wFB9LkWWJai8XYL1qjbqqT9Ye wallet address on 2020-11-24 that is confirmed to belong to lubian.com via the DOJ documents.
Which Software Was Responsible?
Clearly, some vulnerable software program that generated weak wallets in this 128 bit range did not re-seed its MT19937-32 PRNG state between the creation of different wallets. This led to multiple occasions where such interconnected wallet clusters were created accidentally, most likely once multiple wallet creations were done during the same software session. While it’s technically possible that two unconnected users pick the same PRNG seed, it’s very unlikely that this happens accidentally multiple times for the same seed value, with similar on-chain Bitcoin usage patterns, substantial Bitcoin amounts, and within a short time frame.
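To make the "offset in rounds" model from the technical notes and the non-re-seeding session described above concrete, here is an added example (my own illustration, not code from this page or from any wallet software). It implements MT19937-32, models one session that never re-seeds, so consecutive wallets land at offsets 0, 16, 32, ... from the same 32-bit seed exactly as in the cluster table, and shows the hardened alternative. Keeping the low byte of each 32-bit output to reach 16 rounds per 128-bit key is an assumption of this model.

```python
import secrets

class MT19937:
    """Minimal MT19937-32: the same algorithm as std::mt19937 with a 32-bit seed."""
    def __init__(self, seed: int):
        self.mt = [seed & 0xFFFFFFFF] + [0] * 623
        for i in range(1, 624):
            prev = self.mt[i - 1]
            self.mt[i] = (1812433253 * (prev ^ (prev >> 30)) + i) & 0xFFFFFFFF
        self.index = 624

    def next_u32(self) -> int:
        if self.index >= 624:  # regenerate the 624-word state block in place
            for i in range(624):
                y = (self.mt[i] & 0x80000000) | (self.mt[(i + 1) % 624] & 0x7FFFFFFF)
                self.mt[i] = self.mt[(i + 397) % 624] ^ (y >> 1) ^ (0x9908B0DF if y & 1 else 0)
            self.index = 0
        y = self.mt[self.index]
        self.index += 1
        y ^= y >> 11
        y ^= (y << 7) & 0x9D2C5680
        y ^= (y << 15) & 0xEFC60000
        y ^= y >> 18
        return y & 0xFFFFFFFF

ROUNDS_PER_KEY = 16  # 16 rounds -> 128 weak bits, i.e. one byte per round

def weak_entropy(seed: int, offset: int) -> bytes:
    """128 weak bits from one 32-bit seed at a PRNG offset measured in rounds.
    Only 2^32 seeds exist, so seed plus offset fully determines the key."""
    rng = MT19937(seed)
    for _ in range(offset):      # skip the outputs consumed by earlier wallets
        rng.next_u32()
    return bytes(rng.next_u32() & 0xFF for _ in range(ROUNDS_PER_KEY))  # low byte: model assumption

def session_cluster(seed: int, wallets: int) -> list:
    """One software session that never re-seeds: wallet n ends up at offset 16*n,
    which is the offset pattern (0, 16, 32, ...) seen in the cluster table."""
    rng = MT19937(seed)
    return [bytes(rng.next_u32() & 0xFF for _ in range(ROUNDS_PER_KEY)) for _ in range(wallets)]

def secure_entropy() -> bytes:
    """Hardened form: 128 bits from the OS CSPRNG, no seed and no offsets to search."""
    return secrets.token_bytes(16)
```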
My current hypothesis is that the same vulnerable software was involved in both 128 bit and 256 bit sub-ranges, which would explain similar patterns and overlaps between the relevant wallet owners. On a technical level, this is plausible since the two ranges only differ in the BIP39 mnemonic length. Wallet software frequently offers end users a choice between 12 and 24 mnemonic words for BIP39, with 12 words often chosen as the default due to ease of use.
At the moment, I think it’s possible that lubian.com was not the only user of this software, considering other low-level activity before the major transactions and after the theft event. It would be really interesting to know which exact wallet software was used here to cause this multi-billion-dollar cryptocurrency weakness, if it was open source, and for how long it contained the vulnerable code. Available data suggests the flaw was introduced around mid-2018. If you have specific suggestions for which software this could be and why, let us know!
Research Note
A quick reminder that we have no involvement with the funds’ former and current owners or any withdrawal of funds in this range. Most Bitcoins in question were moved years before we as the Milk Sad team looked into this topic, or reported anything about it. As researchers, we’re mainly trying to shine a light on what happened, hoping to help avoid future disasters through more public awareness of the dangerous software flaws that caused them.